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Amendments to the Claims : 

This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims : 

1. (Currently Amended) A system, comprising: 

a plurality of collector devices that are disposed to collect connection information to 
identify host connection pairs from packets that are sent between nodes on a network; and 

an aggregator device that receives the connection information from the plurality of 
collector devices, and which produces a connection table that maps each node on the network to 
a record that stores information about packet traffic to or from the node , with the aggregator 
device further comprising: 

a process executed on the aggregator device to detect anomalies in connection 

patterns; and 

a process executed on the aggregator device to aggregate detected anomalies into 
the network events with the anomalies that are detected including denial of service attack 
anomalies and scanning attack anomalies . 

2. (Previously Presented) The system of claim 1 wherein the aggregator determines at 
least in part from connection patterns derived from the connection table occurrences of network 
events that indicate potential network intrusions. 

3. (Previously Presented) The system of claim 2 wherein the aggregator further 
comprises: 

a process that collects statistical information on packets that are sent between nodes on a 
network and which sends the statistical information to the aggregator. 
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Claim 4 is canceled. 

5. (Currently amended) The system of claim 1 wherein the collectors]] devices have a 
passive link to devices in the network. 

Claim 6 is canceled. 

7. (Currently Amended) The system of claim I [[4]] wherein the anomalies include 
unauthorized access and worm propagation. 

8. (Original) The system of claim 1 wherein the connection table includes a plurality of 
records that are indexed by source address. 

9. (Original) The system of claim 1 wherein the connection table includes a plurality of 
records that are indexed by destination address. 

10. (Original) The system of claim 1 wherein the connection table includes a plurality of 
records that are indexed by time. 

11. (Original) The system of claim 1 wherein the connection table includes a plurality of 
records that are indexed by source address, destination address and time. 

12. (Original) The system of claim 1 wherein the connection table includes a plurality of 
connection sub-tables to track data at different time scales. 

13. (Previously Presented) The system of claim 12 wherein the connection sub-tables 
include a time-slice connection table that operates on a small unit of time and at least one other 
sub-table that operates on a larger unit of time than the time slice sub-table with each sub-table 
holding the sum of records received from all collectors during respective units of time. 
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14. (Currently Amended) A method, comprises: 

sending connection information to an aagreuator to identify host connection pairs 
collected from a plurality of collector devices to-an-aggregater; and 

producing in the aggregator a connection table that maps each node on the network to a 
record that stores information about traffic to or from the node, with the connection table 



including a plurality of entries that are indexed by source address . 

15. (Previously Presented) The method of claim 14 further comprising: 

collecting statistical information in the collector devices to send to the aggregator device. 

16. (Currently Amended) The method of claim 15 further comprises: 

determining from the connection information and the statistical information occurrences 
of network anomalies; and 

aggregating anomalies into network events that indicate potential network intrusions and 
communicating occurrences of network events to an operator. 

Claim 17 is canceled. 

18. (Original) The method of claim 14 wherein the connection table includes a plurality 
of entries that are indexed by destination address. 

19. (Original) The method of claim 14 wherein the connection table includes a plurality 
of records that are indexed by time. 

20. (Original) The method of claim 14 wherein the connection table includes a plurality 
of records that arc indexed by source address, destination address and time. 
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21. (Original) The method of claim 14 wherein the connection table includes a plurality 
of connection sub-tables to track data at different time scales. 

22. (Previously Presented) The method of claim 21 wherein the connection sub-tables 
include a time-slice connection table that operates on a small unit of time and at least one other 
sub-table that operates on a larger unit of time than the time slice sub-table with each sub-table 
holding the sum of records received from all collectors during respective units of time. 

23. (Original) A method of detecting a new host connecting to a network comprises: 
receiving statistics collected from a host in the network; and 

indicating to a console that the host is a new host if, during a period of time T, the host 
transmits at least N packets and receives at least N packets, and if the host had never transmitted 
and received more than N packets in any previous period of time with a duration of T. 

24. (Previously Presented) A method executed in a computing device for detecting a 
failed host in a network comprises: 

determining in the computing device, if both a mean historical rate of server response 
packets from a host is greater than M and a ratio of a standard deviation of historical rate of 
server response packets from the host to a mean profiled rate of server response packets from the 
host is less than R over a period of time; and 

indicating the host as a potential failed host if both conditions are present. 

25. (New) The method of claim 23 wherein indicating comprises: 

determining the minimal rate of N/T packets/second to avoid false positives caused by 
scans or spoofing attacks. 

26. (New) The method of claim 24 wherein indicating comprises: 
determining a period seconds of continuous inactivity of the potential failed host to 

expire the potential foiled host after the period of continuous inactivity; and 



Applicant : Massirailiano Antonio Poletto et al. Attorney's Docket No.: 12221-014001 

Serial No. : 10/701,154 
Filed : November 3, 2003 
Page : 6 of 9 

generating a new host event if the expired failed host sends traffic on the network after 
the period of continuous inactivity has elapsed. 

27. (New) The method of claim 24 wherein a host failure indicates an inability by the 
host to generate traffic on the network or an application failure. 



